
CVE-2025-8869

Fallback tar extraction in pip doesn't check symbolic links point to extraction directory

Published: Sep 24, 2025. Updated: Nov 3, 2025. Sources: CVE List, NVD, GHSA, BDU
CVSS: 5.7 (MEDIUM)

Description

When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and that are therefore not protected against all known vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706, pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation, as is already a best practice.
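The two checks a defender wants here, as an added example (not pip's own code and not taken from the advisory): detect whether the running interpreter's tarfile module has PEP 706 filters, and statically pre-screen an sdist's members for paths, symlink targets or hardlink targets that leave the extraction directory. The sample archive is constructed inline; the function names and the destination path are assumptions.

```python
import io
import os
import tarfile


def tarfile_implements_pep706() -> bool:
    """True when this interpreter's tarfile module ships PEP 706 extraction filters."""
    return hasattr(tarfile, "data_filter")


def _within(dest: str, path: str) -> bool:
    """Lexical containment check: does the normalised path stay under dest?"""
    path = os.path.normpath(os.path.join(dest, path))
    return path == dest or path.startswith(dest + os.sep)


def find_escaping_members(tar_bytes: bytes, dest: str) -> list:
    """Names of members whose path, symlink target or hardlink target leaves dest."""
    dest = os.path.normpath(os.path.abspath(dest))
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not _within(dest, m.name):
                bad.append(m.name)  # plain path traversal ("../x", "/etc/x")
            elif m.issym():
                # a symlink target is resolved relative to the link's own directory
                target = os.path.join(os.path.dirname(m.name), m.linkname)
                if not _within(dest, target):
                    bad.append(m.name)
            elif m.islnk() and not _within(dest, m.linkname):
                bad.append(m.name)  # hardlink targets are relative to the archive root
    return bad


def build_sample_tar() -> bytes:
    """Constructed sample sdist-like archive: a file, a benign symlink, an escaping one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        readme = tarfile.TarInfo("pkg/README")
        readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))
        benign = tarfile.TarInfo("pkg/README.link")
        benign.type, benign.linkname = tarfile.SYMTYPE, "README"
        tar.addfile(benign)
        escaping = tarfile.TarInfo("pkg/escape")
        escaping.type, escaping.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(escaping)
    return buf.getvalue()
```

When tarfile_implements_pep706() is true, extract with tar.extractall(dest, filter="data") and treat this pre-screen as defence in depth only. The lexical check does not follow chains of symlinks created earlier in the same archive, which is exactly the class of problem PEP 706 filters handle at extraction time.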

CVSS Vector Breakdown

AV:A/AC:L/C:N/I:H/A:N

Exploitability
AV:A  Access Vector: Adjacent Network
AC:L  Access Complexity: Low

Impact
C:N  Confidentiality: None
I:H  Integrity: High
A:N  Availability: None

Affected Products

Python Software Foundation (oss-project, US, OSS Libraries; aka python software foundation, psf)
Google Inc (commercial, US, Mobile Apps; aka google)
pypi (package-ecosystem, OSS Libraries)

Exploitability

Official Patch Available

Timeline

Published
Sep 24, 2025
Last Updated
Nov 3, 2025
